In March of 2005, ad technology company United Virtualities boasted that it could track Web users through a "pie," or persistent identification element," that would remain on people's computers even
if they deleted their cookies.
At the time, the company bragged that the pie -- a
Flash cookie, also known as a local shared object, which is stored in a different place in the browser than an HTTP cookie -- wouldn't be deleted from any then-available anti-adware or spyware-removal
program.
Fast-forward to the present: Dozens of companies are facing potential class-action lawsuits for allegedly circumventing people's privacy choices by using Flash to create erased HTTP
cookies. Federal Trade Commission officials are blasting companies for bypassing users' settings. Congress is probing Web companies' online tracking methods -- including, specifically, the use of
Flash.
But even as lawmakers and other officials investigate the 5-year-old pie, new tracking technology is emerging that could prove even more controversial.
Among the latest is
programmer Samy Kamkar's evercookie, created to demonstrate just how easily a company can track people regardless of their preferences. "Simply think of it as
cookies that just won't go away," he writes in a post explaining the tool. "If the user deletes their standard HTTP cookies, LSO (local shared objects) data, and all HTML5 storage, the PNG cookie and
history cookies will still exist. Once either of those are discovered, all of the others will come back (assuming the browser supports them)."
Kamkar himself makes it clear that he's no fan
of this type of forced tracking; he tells The New York Times: "I should also be able to opt out because
it is my computer." Still, if Kamkar thought of it, probably others did too. If not, they certainly know about it now.
But that's only one possible new tracking technology. Consider, the
Electronic Frontier Foundation recently said that the vast majority of Web users' browsers are unique and
trackable. In other words, even if users erase their cookies, they can be tracked based on the characteristics of their browsers -- without their consent.
Currently no law requires companies
to allow users to opt out of tracking, which means that evercookie is legal in the U.S., as are browser-based identifications. But don't expect five more years to pass before policymakers tackle the
subject. Congress and the FTC are far more attuned to online privacy now than in 2005, when Flash cookies were first proposed as tracking mechanisms. What's more, the plaintiffs' bar has taken an
interest in online privacy in the last two years, suing companies ranging from Google to Amazon to NebuAd for alleged privacy violations.
Still, whether companies will be less eager to deploy
evercookie (or other similarly hard-to-control tracking mechanisms) than older forms of tracking remains to be seen.